CSIDH on the surface

CSIDH on the surface

Wouter Castryck and Thomas Decru

Cosic and Imec, Department of Electrical Engineering, KU Leuven [email protected], [email protected]

Abstract. For primesp≡3 mod 4, we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ringZ[(1 +√−p)/2], amounts to just a few sign switches in the under-lying arithmetic. Ifp≡7 mod 8 then horizontal 2-isogenies can be used to help compute the class group action. The formulas we derive for these 2-isogenies are very efficient (they basically amount to a single expo-nentiation inFp) and allow for a noticeable speed-up, e.g., our resulting CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This im-provement is completely orthogonal to all previous speed-ups, constant-time measures and construction of cryptographic primitives that have appeared in the literature so far. At the same time, moving to the sur-face gets rid of the redundant factorZ3 of the acting ideal-class group,

which is present in the case of CSIDH and offers no extra security.

Keywords: isogeny-based cryptography, hard homogeneous spaces, CSIDH, Montgomery curves

1

Introduction

A hard homogeneous space [10] is an efficiently computable free and transitive action ? : G×S → S of a finite commutative group G on a set S, for which the parallelization problem is hard: given s0, s1, s2 ∈S, it should be infeasible to findg1g2? s0, whereg1, g2 ∈Gare such that s1=g1? s0 and s2 =g2? s0. This generalizes the notion of a cyclic group C in which the Diffie–Hellman problem is hard, as can be seen by considering the set S of generators of C, acted upon by G= (Z_|C|)× through exponentiation. The main appeal of hard homogeneous spaces lies in their potential for post-quantum cryptography: while exponentiation-based Diffie–Hellman succumbs to Shor’s polynomial-time quan-tum algorithm [22], in this more general setting the best attack available is Kuperberg’s subexponential-time algorithm for finding hidden shifts [16]. This line of research has led to a number of efficient post-quantum cryptographic primitives, such as non-interactive key exchange [7] and digital signatures [4], which stand out in terms of bandwidth requirements, and verifiable delay func-tions [11].

elliptic curves over finite fields, whose use in cryptography was proposed inde-pendently by Couveignes [10] and Rostovtsev–Stolbunov [20,23,24]. The current paper revisits CSIDH [7], which is an incarnation of this idea, using supersingu-lar elliptic curves rather than ordinary elliptic curves (as originally suggested), thereby speeding up the resulting protocols by several orders of magnitude.

Concretely, we focus on the following design choice of CSIDH: as put forward in [7], it works over a large finite prime fieldFp withp≡3 mod 8, and it acts by G = C`(Z[√−p]) on the set S of Fp-isomorphism classes of elliptic curves with endomorphism ring Z[√−p] — such curves are said to live on the floor. The motivation for this choice comes from [7, Prop. 8], which identifiesS with

S_p+={a∈Fp|y2=x3+ax2+xis supersingular},

i.e., every curve on the floor has a unique representative in Montgomery form and, conversely, every supersingular Montgomery curve over Fp has endomor-phism ringZ[√−p]. This convenient fact allows for compact and easily verifiable public keys. Furthermore 0∈S+p makes for a natural choice ofs0.

Contributions

The main contributions of this paper are as follows.

(a) One of our main observations is that for p≡7 mod 8, a very similar state-ment applies to thesurface, consisting ofFp-isomorphism classes of elliptic curves with endomorphism ringZ[(1 +√−p)/2]. Concretely, we show that this set can be identified with

S_p−={A∈Fp|y2=x3+Ax2−xis supersingular}, (1)

which again contains 0 as a convenient instance ofs0. The tweaked Mont-gomery formy2_=x3_+Ax2_{−xdoes not seem to have been studied before.} From the viewpoint of efficient arithmetic, it is equivalent with the standard Montgomery form: we will show that the required adaptations to the Mont-gomery ladder and to V´elu’s isogeny formulae (in the version of Renes [19]) just amount to a few sign flips, with the exception of 2-isogenies, which re-quire a separate treatment. Therefore, the protocols built from the action of C`(Z[(1 +√−p)/2]) on Sp− are near-copies of those built from CSIDH.1 (b) If p≡7 mod 8 then the prime 2 splits in Q(√−p), which allows for the use

of horizontal 2-isogenies. We show that computing 2-isogenies is an order of magnitude faster than computing `-isogenies for odd `. The cost of a 2-isogeny is dominated by a single exponentiation over Fp, leading to a noticeable speed-up (e.g., our CSURF-512 protocol below performs about 5.68% faster than CSIDH-512). We stress that this improvement is totally orthogonal to all previous speed-ups, constant-time measures (see e.g. [9,15]) and cryptographic applications (see e.g. [7,4,11]) that have appeared in the literature so far.

1

We note along the way that, by working on the surface, we naturally get rid of the factor Z3 that is present in C`(Z[

√

−p]) when p≡ 3 mod 8. Because of the interplay between floor and surface, this factor does not give extra security (see Remark2). Furthermore, it provides a possible hindrance for isogeny-based threshold schemes: when using more than two parties one must map the prob-lem into C`(Z[√−p])3_{, which comes at a small cost if the group structure is} unknown [12].

Apart from these benefits, given the limited pool of hard homogeneous spaces available, having the complete supersingular picture at our disposal adds freedom to the parameter selection and leads to a better understanding of the interplay between floor and surface. This being said, primesp≡1 mod 4 are omitted from our discussion, the main reason being Lemma1below: for suchp, supersingular elliptic curves overFp never admit a model of the formy2=x3+Ax2±x. This complicates comparison with [7]. It is possible that other elliptic curve models can fill this gap, but we leave that for future research.

Acknowledgments

A partial proof of Theorem 3 below can be found in Berre Baelen’s master thesis [1], which was the direct inspiration for this research. We thank Luca De Feo for pointing out the relevance to isogeny-based threshold schemes [12], and Frederik Vercauteren for helpful feedback regarding the proof of Lemma4. We also note that independent and near-simultaneous work by Fan, Tian, Li and Xu [14] largely overlaps with the material in Section3. This work was supported in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019 and by CyberSecurity Research Flanders with reference number VR20192203.

2

Background, and formulation of our main theorem

Consider a prime number p > 3 and a supersingular elliptic curve E/Fp. Its Frobenius endomorphism πE satisfies πE ◦πE = −p, hence Z[√−p] can be viewed as a subring of the ring Endp(E) ofFp-rational endomorphisms ofE. If p≡1 mod 4 then this leaves us with one option for Endp(E), namelyZ[

√ −p] itself. If p≡3 mod 4, which is our main case of interest, then we are left with two options for Endp(E), namelyZ[

√

−p] andZ[(1 +√−p)/2].

For each such option O, we let E``p(O) denote the set of Fp-isomorphism classes of elliptic curves E/Fp for which Endp(E) ∼= O. If p ≡ 3 mod 4 then E``p(Z[√−p]) is called the floor, whereas E``p(Z[(1 +√−p)/2]) is called the surface; this terminology stems from the structure of the 2-isogeny graph of supersingular elliptic curves overFp, see Delfs–Galbraith [13].

the codomain curves all live on the floor. If p≡ 7 mod 8 then only one of the codomain curves is located on the floor.

Recall thatS_p− denotes the set of all coefficientsA∈Fpsuch thatEA−:y2= x3+Ax2−xis a supersingular elliptic curve. The elements of S_p−will be called Montgomery− coefficients and the corresponding elliptic curves Montgomery− curves. As we will see below, such curves are always located on the surface. Mutatis mutandis, the set Sp+ contains the Montgomery+ coefficientsa∈Fp\ {±2}such that theMontgomery+ curveEa+:y2=x3+ax2+xis supersingular. If p≡3 mod 8 then such curves are necessarily located on the floor. However, this is not true ifp≡7 mod 8, in which case we will occasionally writeS_p,+_O to denote the subset ofS+

p corresponding to curves with endomorphism ringO. To everyE∈ E``p(O) and everya⊆ Owe can associate the subgroup

E[a] = \ φ∈a

{P ∈E|φ(P) =∞ } ⊆ E,

where, of course, φ should be viewed as an endomorphism of E through the isomorphism Endp(E)∼=OidentifyingπE with

√

−p. We then have:

Theorem 1. The mapρ: C`(O)× E``p(O)→ E``p(O) sending ([a], E) toa? E:=E/E[a] is a well-defined free and transitive group action.

Proof. See [21, Thm. 4.5] and its proof.

Here C`(O) denotes the ideal-class group of O, and [a] denotes the class of an invertible ideala⊆ O.

The assumption underlying CSIDH is that this is a hard homogeneous space, as soon as p is large enough. From a constructive point of view, the following version of Theorem1, obtained by incorporating [7, Prop. 8] and V´elu’s isogeny formulas (in the version of [19, Prop. 1]), forms its backbone.

Theorem 2. Ifp≡3 mod 8then the mapρ+_:C`(Z[√_−p])×S+

p →Sp+sending ([a], a)to

[a]? a:=



  

a−3 X P∈E+

a[a]

P6=∞

x(P)− 1 x(P)



  

· Y

P∈E+ a[a]

P6=∞ x(P)

is a well-defined free and transitive group action. Here we assume(0,0)∈/ E+ a[a]. The assumption (0,0)∈/ E+

a[a] is not a restriction sinceC`(Z[ √

−p]) is generated by ideals of odd norm, and by design CSIDH acts by such ideals only.2

Our main theoretical tool is the following variant of Theorem2, on which our CSURF-512 protocol from Section6 relies:

2

Theorem 3. If p≡3 mod 4then the maps

ρ−:

C`(Z[√−p])×S<sub>p</sub>−→S<sub>p</sub>−ifp≡3 mod 8, C`(Z[(1 +√−p)/2])×S_p−→S_p−ifp≡7 mod 8

sending([a], A)to

[a]? A:=



   

A−3 X P∈E−_A[a]

P6=∞

x(P) + 1 x(P)



   

· Y

P∈E_A−[a] P6=∞

x(P)

are well-defined free and transitive group actions. Here, we assume that the ideal a representing[a]has odd norm.

We again note that the class group is generated by ideals of odd norm. However, ifp≡7 mod 8 thenC`(Z[(1 +√−p)/2]) also admits invertible ideals of norm 2, which can be used to speed up the evaluation ofρ− significantly. These require a separate treatment, which is outlined in Section4.

Apart from a striking analogy with Theorem2, the reader might notice that Theorem 3 is in seeming conflict with Theorem 1 when p≡ 3 mod 8. Indeed, since the curves E_A− always have endomorphism ring Z[(1 +√−p)/2], it seems thatρ−_{is acting by the wrong class group! However, in Section3we will see that} every curve on the surface hasthree representants inS_p−, and at the same time |C`(Z[√−p])|= 3|C`(Z[(1 +√−p)/2]|. It turns out that, somewhat surprisingly, V´elu’s formulas consistently link both factors 3 to each other.

We note that Theorem2 can be extended to cover p≡7 mod 8 as well, by merely adding a subscriptZ[√−p] toS+

p. But for suchpthere is also a surface version of Theorem2, which is more subtle and will be discussed in Section5.

Further notation and terminology

The identity element of an elliptic curve E will be denoted by ∞ and context will make it clear to which curve it belongs. Animportant conventionis that ifp≡3 mod 4, then foraa square inFpwe denote by

√

athe unique square root which is again a square; this can be computed asa(p+1)/4_{. Finally, forB∈Z}

>0 we write [−B;B] for the set of integers [−B, B]∩Z.

3

Properties of Montgomery

curves

3.1 Montgomery− _{arithmetic: just a few sign flips}

Proposition 1. Let E−_A :y2_=x3_+Ax2_{−xbe an elliptic curve over a fieldK} of characteristic different from two, withP, Q∈E_A−(K).

1. IfP =∞orx(P)3_+Ax(P)2_{−x(P) = 0, then2P=∞. Else}

x(2P) = (x(P) 2_{+ 1)}2

4(x(P)3_+Ax(P)2_−x(P)).

2. If{P, Q, P+Q, P−Q} ∩ {∞}=∅, then

x(P+Q)x(P−Q) =(x(P)x(Q) + 1) 2

(x(P)−x(Q))2 .

Proof. This is almost a copy of the corresponding proofs in [2].

Likewise, computing odd degree isogenies between Montgomery−curves just amounts to a few sign changes with respect to the formulas from [19, Prop. 1], leading to the following statement (we will treat 2-isogenies separately in Sec-tion4).

Proposition 2. Let E_A−:y2_=x3_+Ax2_{−xbe an elliptic curve over a field of} characteristic not two. LetG⊆E_A−(K)be a finite subgroup such that|G|is odd, and let φbe a separable isogeny such thatker(φ) =G. Then there exists a curve E_B−:y2_=x3_+Bx2_{−xsuch that, up to composition with an isomorphism,}

φ:E_A−→E_B−

(x, y)7→(f(x), c0yf0(x)),

where

f(x) =x Y T∈G\{∞}

xxT + 1 x−xT .

Writing

π= Y

T∈G\{∞}

xT, σ=

X

T∈G\{∞}

xT + 1 xT

,

we also have that B=π(A−3σ),c20=π.

Proof. Leti, θ ∈K¯ be such thati2 =−1 and θ2 =i, and let `=|G|. We will construct the isogenyφas the concatenation ofφ3◦φ2◦φ1as illustrated in the following diagram,

E_A− E_B−

Ea+ E

+ b φ

φ1

φ2

where φ2 : Ea+ →E +

b is the isogeny from [19, Prop. 1], and the elliptic curves are given by the Montgomery+ _{forms E}+

a :y2 =x3+ax2+xand E + b : y

2 ₌ x3_+bx2_+x.

The isogenies φ1 and φ3 are in fact isomorphisms (over an extension field) given by

φ1:E−A →E + a (x, y)7→(−ix, θy)

and

φ3:Eb+→E − B (x, y)7→(ix,−iθy).

It is easy to verify that a = −iA and B =ib. The rest of the proof is just a straightforward calculation. With the formulas from [19] we can compute the coefficientbas ˜π(a−3˜σ) = (−i)`π(A−3σ) where

˜

π= Y

T∈φ1(G)\{∞}

xT =

Y

T∈G\{∞}

−ixT = (−i)`−1π,

˜

σ= X

T∈φ1(G)\{∞}

xT− 1 xT

= X

T∈G\{∞}

−ixT+ 1 ixT

=−iσ.

Similarly if we define

˜ f =x



 Y

T∈φ1(G)\{∞}

_xxT−1

x−xT



,

then with ˜c02= ˜π= (−i)`−1π, we have

(φ2◦φ1)(x, y) =

˜

f(−ix),c˜0θyf˜0(−ix)

=



−ix

Y

T∈φ1(G)\{∞}

_{−ixxT −1}

−ix−xT

,c˜0θyf˜0(−ix)





=



−ix Y

T∈G\{∞}

−xxT −1 −ix+ixT

,c˜0θyf˜0(−ix)





=−i`f(x),c˜0θyf˜0(−ix)

= −i`f(x),c˜0θy(−i)`−1f0(x).

If we assume`≡1 mod 4 then (−i)`−1_{= 1 such that ˜c}

0is just a square root ofπ. Composing this withφ3(x, y) = (ix,−iθy) we get that

as well asB=π(A−3σ). In this case we letc0= ˜c0.

If`≡3 mod 4 then ˜c02 =−πand the isogeny may not be defined over K. Post-composing it with the isomorphismτ : (x, y)7→(−x, iy) fixes this if needed. In this case we find

φ(x, y) = (f(x),−ic˜0yf0(x)),

and againB=π(A−3σ). Definingc0=−ic˜0finishes the proof.

As usual, it is better to use projective coordinates to avoid costly field inver-sions, i.e., to represent the x-coordinate of a projective pointP = (X :Y :Z) asx(P) =X/Z; the required adaptations are straightforward.

3.2 Locating supersingular Montgomery± curves

We now switch to curves over finite prime fieldsFp. The lemma below shows that supersingular Montgomery− _{curves overF}

p are always located on the surface. Lemma 1. Letp >3be a prime number and letA∈Fp be such thatEA−:y

2₌ x3+Ax2−xis supersingular. Thenp≡3 mod 4, and there is noP ∈E−_A(Fp) such that 2P = (0,0); in particular,Endp(EA−)∼=Z[(1 +

√ −p)/2].

Proof. LetP be a point doubling to (0,0); note that, necessarily, both coordi-nates are non-zero. The tangent line at P has slope

3x(P)2_{+ 2Ax(P)−1} 2y(P) .

But, since the line should pass through (0,0), a simpler expression for this slope isy(P)/x(P). Equating both expressions leads tox(P)2_{+ 1 = 0. Now:}

– Ifp≡1 mod 4 then we concludex(P) =±i∈Fpand hencey(P)2=−A∓2i. If both expressions on the right-hand side are non-squares then their product A2_{+ 4 is a square, but then x}3_+Ax2_{−xfactors completely over F}

p. We conclude that in any case 4| |E_A−(Fp)|=p+ 1, which is a contradiction. – Ifp≡3 mod 4 then this shows that such a pointP cannot beFp-rational.

But then E−_A(Fp)[2∞]∼=Z/(2e)×Z/(2) for somee≥1, since|E−A(Fp)|= p+ 1≡0 mod 4. Thus there are 3 outgoingFp-rational 2-isogenies, hence in view of [13, Thm. 2.7] our curve must be located on the surface.

The conclusionp≡3 mod 4 also applies to supersingular Montgomery+ _curves, since it is known [2] that these always carry anFp-rational point of order 4.

So, from now on, let us assume thatp ≡3 mod 4. Then the above lemma settles the ‘if’ part of Proposition4 below, which can be viewed as the surface version of the following statement:

Proposition 3. Let p > 3 be a prime number such that p≡ 3 mod 4 and let E be a supersingular elliptic curve over Fp. If Endp(E)∼= Z[

√

−p] then there exists a coefficient a ∈ Fp\ {±2} for which E is Fp-isomorphic to the curve E+

– this coefficient is always unique,

– ifp≡3 mod 8then the converse implication holds as well.

Proof. Ifp≡3 mod 8 then this is [7, Prop. 8]. Ifp≡7 mod 8 then the relevant part of the proof of [7, Prop. 8] still applies.

Proposition 4. Let p >3 be a prime number such thatp≡3 mod 4and letE be a supersingular elliptic curve over Fp. Then Endp(E) ∼=Z[(1 +

√

−p)/2] if and only if there exists a coefficientA∈Fp for whichEisFp-isomorphic to the curveE_A− :y2_=x3_+Ax2_{−x. Furthermore,}

– ifp≡3 mod 8then there exist exactly three such coefficients, – ifp≡7 mod 8then this coefficient is unique.

We will prove this proposition by means of the following convenient tool, connecting floor and surface:

Lemma 2. Let p >3 be a prime number such thatp≡3 mod 4. Then

τ:S_p,+_Z[√

−p] →S −

p :a7→ −2a/

p

4−a2

is a well-defined bijection.

Proof. For a, b ∈ Fp with a2−4b 6= 0 let us write Ea,b for the elliptic curve y2=x3+ax2+bx, which admits the well-known 2-isogeny

Ea,b→E−2a,a2_−4b:P 7→

( _y(P)2

x(P)2, y(P)(1−

b x(P)2)

ifP 6= (0,0),∞

∞ ifP ∈ {(0,0),∞}. (2)

Ifa∈S_p,+_Z[√

−p] then we find that E +

a =Ea,1 is 2-isogenous to the curve

E−2a,a2₋₄:y2=x3−2ax2+ (a2−4)x,

which is necessarily supersingular. SinceE+

a lives on the floor we see thata2−4 is not a square in Fp, hence 4−a2 is a square and letting δ =

√

4−a2_{, the} substitution x← δx, y ←δ3/2_{y transforms the above equation into y}2 _=x3₋ 2a/√4−a2_x2_{−x. We conclude thatτ is indeed well-defined.}

Conversely, ifA∈S_p− then we find that E_A−=EA,−1is 2-isogenous to

E−2A,A2+4:y2=x3−2Ax2+ (A2+ 4)x.

Since E_A− lives on the surface by Lemma 1, we have that A2_{+ 4 is a square} in Fp. Letting δ =

√

A2_{+ 4, the same substitution transforms our equation} into y2 _=x3_−2A/√_A2_{+ 4x}2_{+x. It is easily checked that this curve has no} Fp-rational points of order 2 besides (0,0), hence the map

S_p−→S_p,+_Z[√

−p] :A7→ −2A/

p

A2_{+ 4 (3)}

Proof of Proposition4. By Proposition 3 eachFp-isomorphism class of elliptic curves on the floor is represented by a unique Montgomery+ _{curve. Since such} curves have a uniqueFp-rational point of order 2, the proof of Lemma2 shows thatFp-rational 2-isogenies give a 1-to-1 correspondence betweenE``p(Z[

√ −p]) andS−_p. But on the level of Fp-isomorphism classes, by [13, Thm. 2.7] this cor-respondence is 3-to-1 ifp≡3 mod 8 and 1-to-1 ifp≡7 mod 8.

If p ≡ 7 mod 8 then Proposition 3 leaves open whether or not there exist a∈S+

p such thatEa+ is located on the surface. To answer this, we rely on the following lemma.

Lemma 3. If p≡7 mod 8 then every E ∈ E``p(Z[(1 +√−p)/2]) comes with three distinguished points of order2:

– P−, the x-coordinates of whose halves are not defined overFp, – P₁+, whose halves are not defined overFp, but their x-coordinates are, – P₂+, whose halves are defined over Fp.

Proof. From the structure of E(Fp)[2∞] one sees that there is indeed a unique pointP₂+ of order 2 whose halves areFp-rational. If we positionP2+at (0,0) we find a modely2=x3+ax2+bx, where necessarilybis a square, as can be seen by mimicking the proof of Lemma1. When translating the other points of order 2 to the origin we get similar equations, of which the coefficients at xbecome δ(δ±a)/2 with δ = √a2_{−4b. The product of these coefficients equals −bδ}2_, hence we conclude that one coefficient is a non-square and one coefficient is a square. So, again as in the proof of Lemma1, we see that the former translated point equalsP−, while the latter translated point equalsP₁+.

Corollary 1. If p≡7 mod 8 then each E ∈ E``p(Z[(1 +√−p)/2]) admits ex-actly 2 coefficients a ∈ Fp\ {±2} for which E is Fp-isomorphic to the curve Ea+:y2=x3+ax2+x.

Proof. By Proposition4, such curves admit a unique Montgomery−model. Note that, for this model,P− is positioned at (0,0). The two Montgomery+ _models are obtained by translatingP₁+ or P₂+ to (0,0) and scaling down the resulting b-coefficient (which is a square) to 1, by means of a coordinate change.

Table1summarizes how and with what frequency Montgomery±curves show up as representatives ofFp-isomorphism classes of supersingular elliptic curves. Figures1 and2give an accompanying visual representation.

4

2-isogenies between Montgomery

curves

S−p

E``p(Z h

1+√−p

2

i )

E``p(Z[√−p])

S+ p

Fig. 1. The supersingular isogeny graph over Fp with p≡ 3 mod 8. The black dots represent supersingular elliptic curves up toFp-isomorphism. The yellow lines represent the2-isogenies, which are necessarily between the surface and the floor.

The purple lines represent the`-isogeniesfor some fixed`such that (`, π−1) generates

C`(Z[√−p]). This implies that the`-isogenies on the floor create one big cycle which we need to depict as spiraling around three times. Indeed, the action of (`, π−1) on the surface should result in the same Fp-isomorphism class as first computing a vertical 2-isogeny taking us to the floor, then performing the action of (`, π−1), and finally computing a vertical 2-isogeny back to the surface.

The red dots and lines represent theMontgomery+ coefficients, which are 1-to-1 with the isomorphism classes on the floor. This correspondence forms the basis for the original CSIDH setting described in [7].

|S+_p,O|:|E``p(O)|

|Sp−|:|E``p(O)|

p≡3 mod 8O=Z h

1+√−p

2

i

0 (3 : 1)

O=Z[√−p] (1 : 1) 0

p≡7 mod 8O=Z h

1+√−p

2

i

(2 : 1) (1 : 1)

O=Z[√−p] (1 : 1) 0

p≡1 mod 4 0 0

Table 1. The ratio of the number of Montgomery± coefficients to the number of Fp-isomorphism classes of supersingular elliptic curves.

S+

p,Zh1+ √

−p 2

i

S+

p,Z[√−p]

Sp−

E``p(Zh1+

√ −p

2

i )

E``p(Z[√−p])

Fig. 2. The supersingular isogeny graph over Fp with p≡ 7 mod 8. The black dots represent supersingular elliptic curves up toFp-isomorphism. The yellow lines represent the2-isogenies, where we assumed that (2,(√−p−1)/2) generates the class group. The red dots and lines represent theMontgomery+ coefficients, which are 2-to-1 with the isomorphism classes on the surface and 1-to-1 with the isomorphism classes on the floor.

The blue dots and lines represent theMontgomery−coefficients, which are 1-to-1 with the isomorphism classes on the surface.

Lemma 4 (Addendum to Lemma3).Assumep≡7 mod 8and consider an elliptic curveE:y2_=x3_+ax2_{+bx∈ E``}

p(Z[(1 + √

−p)/2]). Let δ=√a2_−4b andT1= ((−a+δ)/2,0),T2= ((−a−δ)/2,0). Then:

1. if(0,0) =P− then T1=P2+ andT1=P1+, 2. if(0,0) =P₁+ thenT1=P2+ andT2=P−, 3. if(0,0) =P₂+ thenT1=P− andT2=P1+.

Proof. The change of coordinatesx←x+ (−a+δ)/2 yields

y2=x

x+−a+δ 2

(x+δ) =x3+−a+ 3δ

2 x

2₊δ(−a+δ)

2 x (4)

and positionsT1at the origin. As in the proof of Lemma1we see thatT1=P1+ orT1=P2+ if and only if the coefficientδ(−a+δ)/2 is a square, i.e., if and only if−a+δis a square.

In particular, for case2 it suffices to show that−a+δis a square. To this end, note that the 2-isogeny from the proof of Lemma 2 takes our input curve E : y2 _=x3_+ax2_{+bx to y}2 _=x3_−2ax2_+δ2_{x, while mappingP}+

2 to (0,0). But then an Fp-rational half of P2+ is mapped to an Fp-rational half of (0,0), which is necessarily of the form (±δ,p2δ2_{(−a±δ)). We conclude that at least} one of −a+δ or −a−δis a square, but then both elements are squares since their product equals the square 4b.

Similarly, for case3 it suffices to prove that−a+δis not a square. We can consider the same 2-isogeny, which now mapsP₁+to (0,0). Using that any point Q∈E(Fp2\F_p) doubling toP₁+ satisfiesπ_E(Q) =−Q, which is different from

bothQandQ+ (0,0), we conclude that the image ofP₁+cannot beFp-halvable. From this the desired conclusion follows.

Finally, to settle case1, consider the curve (4), whose point (0,0) is either P₁+ orP₂+. Also note that the first non-trivial factor in (4) corresponds toP−. But using the identity

−a+ 3δ 2

2

−4δ(−a+δ)

2 =

a+δ 2

2

,

we can rewrite (4) as

y2=x x−− −a+3δ

2 +

a+δ 2 2

!

x−− −a+3δ

2 −

a+δ 2 2

!

.

Using2 and the fact that (a+δ)/2 is a square, we see that if (0,0) =P₁+, then the first non-trivial factor of (4) would instead correspond toP₂+. We conclude that (0,0) =P₂+, from which the lemma follows.

This will be combined with the following fact:

Lemma 5. Assume thatp≡7 mod 8and letE∈ E``p(Z[(1 +√−p)/2]). Then

E

2, √

−p−1 2

=hP₂+i and E

2, √

−p+ 1 2

Proof. As in the proof of Lemma2one checks thatP−takes us down to the floor, so it suffices to prove the first equality. LetQ∈E(Fp) be such that 2Q=P2+ and let φ denote the endomorphism πE−1

2 , then φ(P +

2 ) = φ(2Q) = 2φ(Q) = πE(Q)−Q=∞, from which the statement follows.

The formulas to compute 2-isogenies between Montgomery− _{curves seem} easiest if we perform almost all of them on isomorphic Montgomery+_{curves. We} formulate the procedure in the form of an algorithm.

Algorithm 1 Computing the action of (2,(√−p−1)/2)e on A ∈ Sp−, with p≡7 mod 8

1: if e= 0then returnA 2: else

3: A←sign(e)·A 4: A←2A−3

√

A2+4

A+ √

A2₊₄

5: forifrom 2 toedo

6: A←2(3 +A(√A2_−4−A))

7: A← A+3 √

A2−4

r

2 √

A2−4A+ √

A2−4

8: returnsign(e)·A

Sketch of the proof of Algorithm 1. Note that quadratic twisting swaps the roles of P₁+ and P₂+, so with Lemma 5 in mind, we can simply flip the sign of A at the start and the end of the algorithm and focus on P₂+. Line 4 constitutes a translation x ← x+ (−a+δ)/2, which by Lemma 4 positions T1 = P2+ at the origin, followed by the 2-isogeny from (2) and a rescaling to obtain a Montgomery+ _curve.

Line6is immediate from [19, Proposition 2], where it should be noted that, due to our choice of canonical square root,x(P₂+) is always a square so that we do not need to consider possible twists. Line7 is just a translation followed by a rescaling to put everything back in Montgomery− form.

5

‘New’ hard homogeneous spaces

Proof of Theorem 3. Ifp ≡7 mod 8 then this follows immediately from Theo-rem1, along with Proposition2and the fact that eachFp-isomorphism class on the surface is represented by exactly one Montgomery− curve.

Ifp≡3 mod 8 then consider the bijectionτ from Lemma 2, and let ρ+ be the group action from Theorem 2. We then define

C`(Z[√−p])×S_p−→S−_p : ([a], A)7→τ(ρ+([a], τ−1(A))),

which is clearly a well-defined free and transitive group action, simply becauseτ is a bijection. So it suffices to show that this matches withρ−. For this, consider a Montgomery− coefficient A and an invertible ideal a ⊆ Z[√−p] having odd norm, along with the subgroup ofE_A− spanned byE_A−[a] and (0,0). We quotient out this subgroup in the following two ways:

– We first quotient out byE_A−[a], using the formulas from Proposition2, yield-ing a Montgomery− curve E_B−. Let us abusingly denote the corresponding isogeny by ρ−, and note that it maps (0,0) to (0,0). So we can continue by applying the 2-isogeny from (2), in order to arrive at the Montgomery+ curveE_τ+−1_(B) on the floor.

– Conversely, we apply the 2-isogeny from (2), taking us to the Montgomery+ curveE+_τ−1_(A). Note that this maps E

−

A[a] toE +

τ−1_(A)[a], which we quotient

out in turn, by means of the formulas from [19, Prop. 1]. By the same abuse of notation, we denote the latter isogeny byρ+. Because every curve on the floor is represented by a unique Montgomery+ coefficient, this necessarily takes us toE_τ+−1_(B).

Thus we obtain the diagram

E−_A E_B−

E_τ+−1_(A) E

+ τ−1_(B)

ρ−

θA θB

ρ+

with θA and θB denoting the above 2-isogenies, where our reasoning in fact shows that [±1]◦θB◦ρ− =ρ+◦θA. This implies that [±2]◦ρ−= ˆθB◦ρ+◦θA. Multiplication by±2 does not change the curveE_B−, so we are done.

Remark 2. Here are two examples of how the surface can help in understanding the floor. We assumep≡3 mod 8.

– Leta, a0∈S+

p be given and let [a]∈ C`(Z[ √

−p]) be an unknown ideal class such thata0 = [a]? a(action byρ+_{on the floor). By the foregoing proof this} is equivalent withτ(a0) = [a]? τ(a) (action byρ− on the surface), which on the level ofFp-isomorphism classes implies that

E_τ−_(a0₎∼= [˜a]? E

where ˜a is the ideal of Z[(1 +√−p)/2] generated by a. Clearly, in order to find [a] it suffices to find [˜a], and then simply try the 3 corresponding possibilities for a. This confirms that the factor 3 in |C`(Z[√−p])| offers little extra security to CSIDH.

– If we want a fast evaluation of the action of [(4,√−p−1)]∈ C`(Z[√−p]) on S_p+, this can be done by composing two 2-isogenies, thereby passing through the surface using τ and τ−1. We leave it as an exercise to verify that this leads to the simple formula [(4,√−p−1)]? a= 2(a−6)/(a+ 2), which was first derived in [17,§4.2].

This leaves us with the two entries corresponding to Montgomery+ _curves and primesp≡7 mod 8. This behaves less uniformly since some curves live on the surface and some live on the floor, and in any case these entries seem of lesser cryptographic interest.

Ifp≡7 mod 8 then|C`(Z[√−p])|=|C`(Z[(1 +√−p)/2])|. Hence in view of Table 1 there are exactly 3 times as many supersingular Montgomery+ coeffi-cientsa∈Fp\{±2}as there areFp-isomorphism classes of supersingular elliptic curves:

– Under the map a7→Ea+, one third of these are in a 1-to-1 correspondence withE``p(Z[

√

−p]). In particular, Theorem2remains valid forp≡7 mod 8, provided that we replaceS+

p withS + p,Z[√−p].

– According to the proof of Corollary1, the other two thirds split into

S_p,+_Z[(1+√

−p)/2],1={a∈S +

p,Z[(1+√−p)/2]|(0,0)∈/ 2E + a(Fp)}

and

S_p,+_Z[(1+√

−p)/2],2={a∈S +

p,Z[(1+√−p)/2]|(0,0)∈2E + a(Fp)},

and both sets are in a 1-to-1 correspondence with E``p(Z[(1 + √

−p)/2]). Since the instantiated versions of V´elu’s formulae map (0,0) to (0,0), in the statement of Theorem2 we are equally allowed to replaceZ[√−p] with Z[(1 +√−p)/2] andS+

p withS +

p,Z[(1+√−p)/2],i, for any choice ofi= 1,2. Remark 3. The latter setting again allows for horizontal 2-isogenies, therefore it should give rise to very similar timings as those reported upon in Section6. One minor drawback is that Alice and Bob should agree on the value of i and validate each other’s public keys as such; moreover 0 can no longer be used as a starting coefficient.

Remark 4. Alternatively, it is natural to view

S_p,+_Z[(1+√

−p)/2],1 and S +

p,Z[(1+√−p)/2],2 as two orbits under the free butnon-transitive action

ρ+:C`(Z[(1 +√−p)])×S_p,+_Z[(1+√

−p)/2]→S +

described by the same formulae. Using that the quadratic twisting mapE+ a 7→ E₋+_a jumps back and forth between the two orbits, along with the fact that [a]? Et∼_{= ([a]}−1_{? E)}t_{(see e.g. [8, Lem. 5]), the two orbits can be glued together} into a single orbit under an action by the dihedral group DihC`(Z[(1+√−p)/2]).

6

Implementation

We assume that the reader is familiar with how CSIDH is being set up in prac-tice [7]. In this section we use Theorem3and Algorithm1to design a variant of CSIDH acting onS_p− rather thanS+

p. Recall from [7] that CSIDH-512 uses the prime

p= 4· (3·. . .·373)

| {z }

73 first odd primes

·587−1≈2510.668,

and then samples exponents from the range [−5; 5]74 _{to represent an element in} the class group and let it act on 0∈S+

p, for a conjectured 128 bits of classical security. Concretely, the exponent vector (e1, . . . , e74) in this case represents the class group element (3,√−p−1)e1· · ·_(587,√−_p−₁₎e74_{. For the sake of}

comparison, we propose CSURF-512 which works overFp where

p= 23·3· (3·. . .·389)

| {z }

74 consecutive primes, skip 347 and 359

−1≈2512.880.

This prime will speed up the computation of a class group action in multiple ways. First of all, the largest isogeny we need to compute is of degree 389 instead of 587. Secondly,p+1 carries an extra factor 3 that can help with sampling points of order 3 to compute 3-isogenies. Indeed, finding an `-torsion point typically amounts to sampling a random pointP and multiplying it by (p+1)/`, which has a 1/`chance of failure (i. e. we end up in∞). For CSURF-512 we can multiply a random point P by both (p+ 1)/9 and (p+ 1)/3 to try and find a point of order 3, improving our chance of failure to only 1/9.

The biggest speed-up however stems from the fact thatp≡7 mod 8, so we now have 2 as a 75th prime to use. Furthermore 2-isogenies are very fast due to their simple and explicit formulae, see Algorithm 1, so we can sample the exponent for 2 from a much larger interval. In practice we evaluate these 2-isogenies first, without pushing through points, and then proceed with the other primes as in CSIDH.

We implemented both CSIDH-512 and CSURF-512 in Magma [6] to compare their performance. With the exception of 2-isogenies, both implementations are totally similar, making use of the (projective) Montgomery ladder, the pushing through of points, etc., the only differences being the sign switches discussed in Section 3.1. However, we did not implement any of the constant-time measures since these are orthogonal to the speed-up we described. Based on experiments, a near-optimal set to sample exponent vectors from seems to be

which results in 275·928_·1146 _≈2255.995 _{distinct secret vectors. As in} CSIDH-512, we heuristically expect that these vectors represent the elements in the class group quasi-uniformly, by mimicking the reasoning from [7, §7.1]. Note that for 3-, 5- and 7-isogenies we sample from a smaller interval, since the ease of computing the isogeny is outweighed by the high failure probability of finding the needed torsion points. Sampling from this specific set of exponent vectors gives CSURF-512 a speed-up of about 5.68% compared to CSIDH-512; this estimate is based on an experiment generating 25 000 public keys in both settings. Our source code can be found athttps://github.com/TDecru/CSURF.

As a final remark, we note that the advantage of working on the surface is expected to diminish when the underlying primepbecomes larger, since the relative contribution of 2-isogenies will decrease. This is especially relevant given the ongoing discussion about the conjectured quantum security of the protocol, see for example [5,18,3]. However, if p ≡7 mod 8 then the surface will always outperform the floor to some extent. This means that setting up these larger instantiations of the CSIDH protocol should preferably be done on the surface, in any case.

References

1. Berre Baelen. Post-quantum key-exchange: Using group actions from supersingular elliptic curve isogenies. Master’s thesis, KU Leuven, 2019.

2. Daniel J Bernstein and Tanja Lange. Montgomery curves and the Montgomery lad-der. InTopics in computational number theory inspired by Peter L. Montgomery, pages 82–115. Cambridge University Press, 2017.

3. Daniel J. Bernstein, Tanja Lange, Chloe Martindale, and Lorenz Panny. Quantum circuits for the CSIDH: optimizing quantum evaluation of isogenies. InAdvances in cryptology—EUROCRYPT 2019. Part II, volume 11477 of Lecture Notes in Comput. Sci., pages 759–789. 2019.

4. Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren. CSI-FiSh: Efficient isogeny based signatures through class group computations. In Steven Galbraith and Shiho Moriai, editors, Advances in Cryptology – ASIACRYPT 2019, Part I, pages 227–247, 2019.

5. Xavier Bonnetain and Andr´e Schrottenloher. Submerging CSIDH. IACR Cryptol-ogy ePrint Archive, page 537, 2018.

6. Wieb Bosma, John Cannon, and Catherine Playoust. The Magma algebra system. I. The user language. J. Symbolic Comput., 24(3-4):235–265, 1997. Computational algebra and number theory (London, 1993).

7. Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes. CSIDH: An efficient post-quantum commutative group action. In Thomas Peyrin and Steven Galbraith, editors,Advances in Cryptology – ASIACRYPT 2018, Part III, pages 395–427, 2018.

8. Wouter Castryck, Lorenz Panny, and Frederik Vercauteren. Rational isogenies from irrational endomorphisms. IACR Cryptology ePrint Archive, 2019:1202, 2019. 9. Daniel Cervantes-V´azquez, Mathilde Chenu, Jes´us-Javier Chi-Dom´ınguez, Luca

10. Jean-Marc Couveignes. Hard homogeneous spaces. IACR Cryptology ePrint Archive, 2006:291, 2006.

11. Luca De Feo, Simon Masson, Christophe Petit, and Antonio Sanso. Verifiable delay functions from supersingular isogenies and pairings.IACR Cryptology ePrint Archive, 2019:166, 2019.

12. Luca De Feo and Michael Meyer. Threshold schemes from isogeny assumptions. IACR Cryptology ePrint Archive, 2019:1288, 2019.

13. Christina Delfs and Steven D Galbraith. Computing isogenies between supersin-gular elliptic curves over Fp. Designs, Codes and Cryptography, 78(2):425–440, 2016.

14. Xuejan Fan, Song Tian, Bao Li, and Xiu Xu. CSIDH on other form of elliptic curves. IACR Cryptology ePrint Archive, 2019:1417, 2019.

15. Aaron Hutchinson, Jason LeGrow, Brian Koziel, and Reza Azarderakhsh. Further optimizations of CSIDH: A systematic approach to efficient strategies, permuta-tions, and bound vectors. IACR Cryptology ePrint Archive, 2019:1121, 2019. 16. Greg Kuperberg. Another subexponential-time quantum algorithm for the dihedral

hidden subgroup problem. In8th Conference on the Theory of Quantum Compu-tation, Communication and Cryptography, volume 22 ofLIPIcs. Leibniz Int. Proc. Inform., pages 20–34, 2013.

17. Hiroshi Onuki and Tsuyoshi Takagi. On collisions related to an ideal class of order 3 in CSIDH. IACR Cryptology ePrint Archive, 2019:1209, 2019.

18. Chris Peikert. He gives C-sieves on the CSIDH. IACR Cryptology ePrint Archive, 2019:725, 2019.

19. Joost Renes. Computing isogenies between Montgomery curves using the action of (0,0). InInternational Conference on Post-Quantum Cryptography, pages 229–247. Springer, 2018.

20. Alexander Rostovtsev and Anton Stolbunov. Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive, 2006:145, 2006.

21. Ren´e Schoof. Nonsingular plane cubic curves over finite fields. J. Combin. Theory Ser. A, 46(2):183–211, 1987.

22. Peter W Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM review, 41(2):303–332, 1999.

23. Anton Stolbunov. Public-key encryption based on cycles of isogenous elliptic curves. Master’s thesis, Saint-Petersburg State Polytechnical University, 2004. In Russian.